Monday, September 8, 2008

The RBN Operatives: Part II

In mid-August, I wrote that I suspected that long-time RBN operatives Alexandr Boykov and Sergey Smirnov were the individuals most likely responsible for the cyber first strike against Georgia's Internet infrastructure, which preceded Russia's invasion of that country. Given their historical domination of CNet 76.135.167, I continue to hold this view. However, after many hours of investigative work, I have uncovered additional, specific information regarding the lessee of the IP space involved.

What I now know is that sometime between July 18 and July 31, 2008, a Russian cyber criminal named Sergey Astakhov deployed the botnet command and control domains involved in the DDoS attack to 76.135.167.22. Using a fairly advanced RBN DNS obfuscation method, Mr. Astakhov created a multi-headed DNS topology in an attempt to elude discovery. Mr. Astakhov's DNS server, judex.cn, located at IP address 210.145.102.19, also bore an A record address of 79.135.167.22. The domains at 79.135.167.22 used a fast-flux DNS method with a twist: most of the time, when one ran a DNS query against them, ns1.guagua.net would be returned. Rarely, ns1.srv.com (located at 210.145.102.19) would be returned as the result of a DNS query. I had noted this as early as 11 August, but the DNS topology of ns1.srv.com led nowhere. Similarly, judex.com was a dead end.
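A defender-side sketch of how one would flag the rotating nameserver answers and the shared-address links described above, added here as an example and not taken from the original post. The C2 domain name, the constructed sequence of NS answers and the address given to ns1.guagua.net are assumptions; the other addresses are the ones the post reports.

```python
"""Spot rotating nameserver answers and shared hosting in a DNS topology.
Hypothetical defender-side helper, not the post author's code. Records are
constructed from the post's description; the C2 domain name is a placeholder
and ns1.guagua.net's address is made up (RFC 5737 documentation range).
"""
from collections import Counter
from itertools import combinations

# Constructed NS answers for the C2 domain, skewed the way the post describes:
# ns1.guagua.net almost always, ns1.srv.com rarely.
NS_ANSWERS = ["ns1.guagua.net"] * 9 + ["ns1.srv.com"]

# Constructed A records for every name in the topology.
A_RECORDS = {
    "c2-domain.example": {"79.135.167.22"},            # placeholder C2 name
    "judex.cn": {"210.145.102.19", "79.135.167.22"},
    "ns1.srv.com": {"210.145.102.19"},
    "ns1.guagua.net": {"203.0.113.10"},                # made-up doc address
}

def ns_flux_profile(answers, rare_fraction=0.2):
    """Return (dominant_ns, rare_ns_list, is_flux) from repeated NS lookups.
    More than one distinct nameserver is the flux signal; a nameserver seen in
    at most rare_fraction of answers is the rare head worth pivoting on."""
    counts = Counter(answers)
    dominant = counts.most_common(1)[0][0]
    rare = sorted(ns for ns, c in counts.items()
                  if ns != dominant and c / len(answers) <= rare_fraction)
    return dominant, rare, len(counts) > 1

def shared_hosts(a_records):
    """Sorted (name_a, name_b, ip) triples where two names share an address."""
    return [(n1, n2, ip)
            for (n1, ips1), (n2, ips2) in combinations(sorted(a_records.items()), 2)
            for ip in sorted(ips1 & ips2)]

def pivot_chain(a_records, start, hops=3):
    """Names reachable from `start` by following shared-address links."""
    links = shared_hosts(a_records)
    seen, frontier = {start}, {start}
    for _ in range(hops):
        nxt = {n2 if n1 == name else n1 for name in frontier
               for n1, n2, _ip in links if name in (n1, n2)}
        frontier = nxt - seen
        seen |= frontier
    return sorted(seen - {start})

if __name__ == "__main__":
    print(ns_flux_profile(NS_ANSWERS), shared_hosts(A_RECORDS),
          pivot_chain(A_RECORDS, "ns1.srv.com"), sep="\n")
```

Starting the pivot from the rarely returned ns1.srv.com walks through judex.cn to the C2 domain, which is the same chain the post follows by hand.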

The following diagram portrays Mr. Astakhov's control over the botnet command and control servers utilized in the cyber first strike:

A twisted DNS topology

The sophistication of the methods used to cloak Mr. Astakhov's identity is remarkable. Combined with the use of privacy-protection services, they could be used to create truly stealthy Internet attack systems, which would make attribution of criminal activity difficult to impossible. In this case, we are fortunate that Mr. Astakhov used his actual name in the WhoIs record for judex.cn.

WhoIs judex.cn

Shared analysis: judex.cn

The DNS record at judex.cn indicates that guagua.net uses it as a name server, but this information has not been available at guagua.net itself:

judex.cn DNS


Mr. Astakhov has a history of cyber criminal activity. Note the Artists Against 419 web site entry for Mr. Astakhov's alexexpress.com: http://db.aa419.org/fakebanksview.php?key=28770. Mr. Astakhov was previously noted as a Zlob trojan distributor at malwaredomainlist.com (and that data is still available in Google's cache). Mr. Astakhov's domain theworldnews5.com is known to install the RBN fake antivirus software xpantivirus 2009; note http://forum.hosts-file.net/viewtopic.php?f=9&p=4511.

I have previously determined that Alexey Vasiliev was responsible for the spam attack which besmirched the President of Georgia:

spam attacker